Alright, I'll add RS256 and http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 as mandatory to implement in the next revision of draft-ietf-oauth-jwt-bearer and draft-ietf-oauth-saml2-bearer respectively.
Thanks for the pointers, Stephen.

On Thu, Oct 16, 2014 at 3:57 PM, Kathleen Moriarty <kathleen.moriarty.i...@gmail.com> wrote:

> On Thu, Oct 16, 2014 at 5:39 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
>
>> Hiya in return and inline below...
>>
>> On Thu, Oct 16, 2014 at 3:00 PM, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
>>
>>> Hmm. So the SAML one only seems to have RSA-SHA1 as the MTI and the JOSE one has only H256 as required.
>>>
>>> Doesn't that seem like one is unacceptably old and the other is not great for this purpose?
>>
>> Admittedly, I was a little worried you'd say that :)
>>
>>> My suggestion would be to add rsa-sha256 as MTI for these, as an addition to whatever JOSE and SAML make MTI. But I'd be happy to clear if you made any modern signature alg MTI.
>>
>> Honestly, in my view, an MTI on these doesn't make a whole lot of sense as I think what's actually implemented/supported will be dictated by the larger deployments of SAML/SAMLP or JWT/JOSE/OpenID Connect. My feeling is that an MTI in these specs would likely be ignored and/or not influence implementers/deployers. So my preference would be to leave MTI out of these.
>>
>> But if you're not swayed by that line of thinking, and I'm guessing you're not, rsa-sha256 is probably the most appropriate choice. Could you give some guidance and/or point to examples of where and how to say that appropriately in the documents? Thanks!
>
> I'm going to back Stephen up on this one. It's best that we do point out the right thing to do, even if it's not always followed. Some will expect implementations to be compliant with the standard and that will hopefully drive implementations to better choices for algorithms. We have too many issues of deployed code and applications using things they should not (SSLv3).
>
>>> Cheers,
>>> S.
>>>
>>> PS: Stuff below is fine.
>>
>> Great, thank you.
>
> --
> Best regards,
> Kathleen
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth